This chapter is from the book

This chapter is from the book

Should Reverse Engineering Be Illegal?

Because reverse engineering can be used to reconstruct source code, it walks a fine line in intellectual property law. Many
software license agreements strictly forbid reverse engineering. Software companies fear (and rightly so) that their trade
secret algorithms and methods will be more directly revealed through reverse engineering than they are through external machine
observation. However, there is no general-purpose law against reverse engineering.

Because reverse engineering is a crucial step in removing copy protection schemes, there is some confusion regarding its legality.
Patching software to defeat copy protection or digital rights management schemes is illegal. Reverse engineering software
is not. If the law changes and reverse engineering is made illegal, then a serious blow will be dealt to the common user of
software (especially the common and curious user). A law completely outlawing reverse engineering would be like a law making
it illegal to open the hood of your car to repair it. Under such a system, car users would be required by law to go to the
dealership for all repairs and maintenance.
[2]

Software vendors forbid reverse engineering in their license agreements for many reasons. One reason is that reverse engineering
does, in fact, more obviously reveal secret methods. But all this is a bit silly, really. To a skilled reverse engineer, looking
at the binary machine code of a program is just as good as having the source code. So the secret is already out, but in this
case only specialists can "read" the code. Note that secret methods can be defended through means other than attempting to
hide them from everyone but specialists in compiled code. Patents exist specifically for this purpose, and so does copyright
law. A good example of properly protecting a program can be found in the data encryption algorithms domain. To be acceptable
as actually useful and powerful, encryption algorithms must be published for the cryptographic world to evaluate. However,
the inventor of the algorithm can maintain rights to the work. Such was the case with the popular RSA encryption scheme. Also
note that although this book is copyrighted, you are allowed to read it and understand it. In fact, you're encouraged to do
so.

Another reason that software vendors would like to see reverse engineering made illegal is to prevent researchers from finding
security flaws in their code. Quite often security researchers find flaws in software and report them in public forums like
bugtraq. This makes software vendors look bad, hurts their image, and damages their reputation as upstanding software vendors.
(It also tends to make software improve at the same time.) A well-established practice is for a security specialist to report
a flaw to the vendor and give them a reasonable grace period to fix the bug before its existence is made public. Note that
during this grace period the flaw still exists for more secretive security specialists (including bad guys) to exploit. If
reverse engineering is made illegal, then researchers will be prevented from using a critical tool for evaluating the quality
of code. Without the ability to examine the structure of software, users will be forced to take the vendor's word that the
software is truly a quality product.
[3]
Keep in mind that no vendor is currently held financially liable for failures in its software. We can thus trust the vendor's
word regarding quality as far as it impacts their bottom line (and no farther).

The Digital Millennium Copyright Act (DMCA) explicitly (and controversially) addresses reverse engineering from the perspective of copyright infringement and software
cracking. For an interesting view of how this law impacts individual liberty, check out Ed Felten's Web site at http://www.freedomtotinker.com.

When you purchase or install software, you are typically presented with an end-user license agreement (EULA) on a click-through
screen. This is a legal agreement that you are asked to read and agree to. In many cases, simply physically opening a software
package container, such as the box or the disk envelope, implies that you have agreed to the software license. When you download
software on-line, you are typically asked to press "I AGREE" in response to a EULA document displayed on the Web site (we
won't get into the security ramifications of this). These agreements usually contain language that strictly prohibits reverse
engineering. However, these agreements may or may not hold up in court [Kaner and Pels, 1998].

The Uniform Computer Information Transactions Act (UCITA) poses strong restrictions on reverse engineering and may be used
to help "click through" EULA's stand-up in court. Some states have adopted the UCITA (Maryland and Virginia as of this writing),
which strongly affects your ability to reverse engineer legally.